Found an elegant way to steal WhatsApp accounts


A new attack, unrelated to any vulnerability in the messenger itself, threatens WhatsApp users with loss of control over their account. You can protect yourself with attentiveness and two-factor authentication (two-step verification in WhatsApp's settings).

Special number

CloudSEK experts have discovered a new trick that allows an attacker to take control of a WhatsApp account. It is not the easiest attack to pull off, and carrying it out requires some social engineering, but overall the problem is quite dangerous.

The method relies on the automated call-forwarding services that mobile operators offer, which let the attacker intercept the WhatsApp one-time password when it is delivered as a voice call.

The attacker needs to know the potential victim's phone number and must convince them to dial a special string beginning with an MMI code (such strings start with * or #) that enables call forwarding. The exact code is operator dependent (on GSM networks the standard service codes are 21 for unconditional forwarding, 67 for busy, 61 for no answer and 62 for not reachable); depending on the code, calls are redirected to another number or terminal unconditionally, or only when the line is busy or the called party does not answer.

In effect, the victim personally allows their calls to be redirected to the attacker's number. The attacker then tries to re-register the victim's WhatsApp account on their own device and requests the confirmation code as a voice call rather than an SMS (by default the code is sent by SMS).
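To make concrete what the victim is actually typing, here is an added example (not code from the article or from CloudSEK) that parses a dialed string as a GSM MMI call-forwarding code. The procedure prefixes and service codes are the standard ones from 3GPP TS 22.030; operator-specific short codes are not covered, and the phone numbers in the sample list are constructed. The point it shows is that the "special number" is a registration command that stores the attacker's number as a forwarding target, and that the same syntax (##002#) erases every forwarding rule again.

```python
import re

# Standard call-forwarding supplementary-service codes (3GPP TS 22.030).
# Assumption: the victim's operator honours the standard codes; some
# operators also offer their own short codes, which this parser ignores.
FORWARDING_SERVICES = {
    "21": "unconditional",     # CFU: every incoming call
    "67": "busy",              # CFB: only while the line is busy
    "61": "no answer",         # CFNRy: only when the call is not answered
    "62": "not reachable",     # CFNRc: only when the phone is off/out of range
    "002": "all forwarding",   # every forwarding type at once
    "004": "all conditional",  # busy + no answer + not reachable
}

# Procedure prefix decides whether the string changes anything.
PROCEDURES = {
    "**": "register",     # store the target number and activate forwarding
    "*": "activate",      # activate (target optional if already registered)
    "##": "erase",        # remove the stored target and deactivate
    "#": "deactivate",
    "*#": "interrogate",  # query current status; changes nothing
}

# General shape: <procedure><service code>[*field[*field...]]#
# For call forwarding the fields are: target number, basic service, timer.
MMI_RE = re.compile(
    r"^(?P<proc>\*\*|\*#|##|\*|#)(?P<sc>\d{2,3})(?P<si>(?:\*[^*#]*)*)#$"
)


def parse_mmi(dialed: str):
    """Classify a dialed string. Returns None when it is not a
    call-forwarding MMI code (e.g. an ordinary phone number or *#06#)."""
    m = MMI_RE.match(dialed.replace(" ", ""))
    if not m or m.group("sc") not in FORWARDING_SERVICES:
        return None
    fields = m.group("si").split("*")[1:]  # drop the empty piece before the first '*'
    target = fields[0] if fields and fields[0] else None
    proc = PROCEDURES[m.group("proc")]
    return {
        "procedure": proc,
        "condition": FORWARDING_SERVICES[m.group("sc")],
        "target": target,
        # Only register/activate cause calls to leave the victim's handset.
        "diverts_calls": proc in ("register", "activate"),
    }


def risky_codes(dialed_strings):
    """Return (dialed, target, condition) for every string that would
    divert the user's incoming calls to another number."""
    hits = []
    for d in dialed_strings:
        p = parse_mmi(d)
        if p and p["diverts_calls"]:
            hits.append((d, p["target"], p["condition"]))
    return hits


# Constructed sample: what a dialer might see during the scam, including
# harmless strings, two forwarding registrations and the reset code.
SAMPLE_DIALED = [
    "+15551234567",             # ordinary call
    "**21*+15559876543#",       # forward every call to the attacker
    "*#06#",                    # IMEI query, not forwarding
    "**67*+15559876543*11#",    # forward only while busy (11 = telephony)
    "##002#",                   # cancel all forwarding
]

if __name__ == "__main__":
    for dialed, target, cond in risky_codes(SAMPLE_DIALED):
        print(f"{dialed}: diverts calls to {target} ({cond})")
    print("reset:", parse_mmi("##002#"))
```

Dialing *#21# on a GSM handset shows whether unconditional forwarding is active, and ##002# clears every forwarding rule, which is the check a user should run if they suspect they were talked into dialing one of these strings.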


This, however, is where the key difficulties for the attacker lie. First, they must know the MMI code that redirects all of the victim's calls regardless of the current state of the line. Second, the attacker has to keep the victim talking the whole time (obviously from a different number) so that the victim does not notice the SMS warning that someone is trying to register their account on a new device. The attacker must receive the voice call with the one-time password and enter it before the victim suspects something is wrong.

And most importantly, the victim's smartphone displays a very noticeable warning, on top of all other windows, that call forwarding is enabled.

For social engineering professionals

However, according to CloudSEK, a skilled social engineer can readily get the victim to do whatever they want and distract them from suspicious details.

Protecting yourself from the attack, however, is quite simple: enable two-step verification in WhatsApp, so that a PIN is required every time your phone number is registered with WhatsApp on a new device. It is also worth knowing that on GSM networks the standard MMI string ##002# cancels all call forwarding, which undoes the redirect the victim was tricked into setting up.

“With enough diligence on the part of the attacker, the PIN can also be obtained through social engineering,” says Dmitry Kiryukhin, Information Security Expert at SEQ. “However, in the described scenario there are too many risk factors for the attacker. You have to be very persuasive for the victim to allow their account to be compromised in this way.”

This is not a WhatsApp vulnerability as such; the attack abuses cellular network features. Problems are regularly found in the messenger itself, however: for example, at the very beginning of 2022 a vulnerability was found that allowed viewing messages the other party had deleted, without their permission.

Roman Georgiev
